Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6676256

Java Plug-In does not obey crossdomain.xml file directives



    • Subcomponent:
    • Introduced In Version:
    • Resolved In Build:
    • CPU:
    • OS:
    • Verification:


      ###@###.### points out that Java Web Start and the Java Plug-In do not obey the crossdomain.xml directives that have emerged as a new standard for allowing certain web services to be accessed from unsigned code:

      "Currently unsigned applications and applets cannot access any resources outside of the domain they were loaded from. This is great for security but makes certain types of applications difficult or impossible to write, such as mashups with the many cool webservices available from Google, Yahoo, etc. All of our competitors (Flash, Silverlight, and AJAX) have support for this. They handle it in one of two ways:

      * Hijack the remote code loading mechanism to provide data. AJAX does this with JSON, which is a form of Javascript. This works because javascript can load additional javascript remotely but cannot load XML or other data files. Encoding data as Javascript hashtables works around this security limitation. This is not feasible for Java since it would require on the fly compilation on the server and some nasty class loader tricks.

      * Allow safe access to webservices using the crossdomain.xml files. This is what Flash and Silverlight do. In brief, if the client app requests a webservice on another domain the Flash environment will first check for some magic xml files on that domain to see if cross site access to particular resources is allowed. If the webservice doesn't allow it then the request is denied. This is what Java should support.

      Silverlight 1 did not have support for cross domain scripting, but in Silverlight 2, they have decided to just reuse the crossdomain.xml system from Flash rather than reinventing the wheel. We should do the same since it would allow usnigned Java applications and applets to access existing webservices safely without requiring those webservices to be modified in any way.

      General info on cross domain xml files:

      Adobe's docs on cross domain xml files.

      Microsoft's docs on cross domain xml files
          http://msdn2.microsoft.com/en-us/library/cc197955(VS.95).aspx "
      Fixing this will also fix some longstanding problems with the National Weather Service applets:


      because these applets attempt to contact http://www.weather.gov/ , which has a crossdomain.xml file.




            kbr Kenneth Russell (Inactive)
            kbr Kenneth Russell (Inactive)
            0 Vote for this issue
            1 Start watching this issue